Bug#303288: marked as done (tetex-bin: CAN-2005-0064 fix was incomplete)
Your message dated Wed, 6 Apr 2005 16:32:33 +0200
with message-id <20050406143233.GA5968@informatik.uni-bremen.de>
and subject line I missed the missing encryption support
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tetex-bin: CAN-2005-0064 fix was incomplete
X-Mailer: reportbug 3.9
Date: Tue, 05 Apr 2005 22:06:04 +0200
Message-Id: <E1DIuJK-0001u1-2V@localhost.localdomain>
Package: tetex-bin
Version: 2.0.2-27
Severity: grave
Tags: security patch
Justification: user security hole
Dear TeX maintainers,
the patch you used to fix CAN-2005-0064 in -26 seems to have been derived from
xpdf 3.00-12, which unfortunately was missing a portion of the security fix
(the one that is referenced as xpdf 3.00pl3 at the xpdf website, this has been
fixed in xpdf 3.00-13). Attached patch provides the necessary fix for the
tetex-bin package.
Cheers,
Moritz
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Versions of packages tetex-bin depends on:
ii debconf 1.4.47 Debian configuration management sy
ii debianutils 2.13.2 Miscellaneous utilities specific t
ii dpkg 1.10.27 Package maintenance system for Deb
ii ed 0.2-20 The classic unix line editor
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libgcc1 1:4.0-0pre2 GCC support library
ii libice6 4.3.0.dfsg.1-12.0.1 Inter-Client Exchange library
ii libkpathsea3 2.0.2-27 path search library for teTeX (run
ii libpaper1 1.1.14-3 Library for handling paper charact
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libsm6 4.3.0.dfsg.1-12.0.1 X Window System Session Management
ii libstdc++5 1:3.3.5-12 The GNU Standard C++ Library v3
ii libt1-5 5.0.2-3 Type 1 font rasterizer library - r
ii libwww0 5.4.0-9 The W3C WWW library
ii libx11-6 4.3.0.dfsg.1-12.0.1 X Window System protocol client li
ii libxaw7 4.3.0.dfsg.1-12.0.1 X Athena widget set library
ii libxext6 4.3.0.dfsg.1-12.0.1 X Window System miscellaneous exte
ii libxmu6 4.3.0.dfsg.1-12.0.1 X Window System miscellaneous util
ii libxt6 4.3.0.dfsg.1-12.0.1 X Toolkit Intrinsics
ii mime-support 3.31-1 MIME files 'mime.types' & 'mailcap
ii perl 5.8.4-8 Larry Wall's Practical Extraction
ii sed 4.1.4-2 The GNU sed stream editor
ii tetex-base 2.0.2c-7 Basic library files of teTeX
ii ucf 1.17 Update Configuration File: preserv
ii xlibs 4.3.0.dfsg.1-12 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime
-- debconf information excluded
Content-Disposition: attachment;
filename="tetex-bin-CAN-2005-0064-missing-check.diff"
diff -Naur tetex-bin-2.0.2.orig/libs/xpdf/xpdf/XRef.cc tetex-bin-2.0.2/libs/xpdf/xpdf/XRef.cc
--- tetex-bin-2.0.2.orig/libs/xpdf/xpdf/XRef.cc 2002-11-03 23:15:37.000000000 +0100
+++ tetex-bin-2.0.2/libs/xpdf/xpdf/XRef.cc 2005-04-05 21:46:31.000000000 +0200
@@ -481,6 +481,9 @@
} else {
keyLength = 5;
}
+ if (keyLength > 16) {
+ keyLength = 16;
+ }
permFlags = permissions.getInt();
if (encVersion >= 1 && encVersion <= 2 &&
encRevision >= 2 && encRevision <= 3) {
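Review bot: The added clamp right after the `keyLength = 5;` fallback bounds keyLength only from above; nothing in the visible lines rejects a zero or negative value, so if keyLength is a signed value taken from the document's encryption dictionary, it needs a lower bound at the same spot. The literal 16 is also unexplained: presumably it is the size of the key buffer, in which case it should be expressed as a named constant or derived from that buffer's size, with a one-line comment citing CAN-2005-0064, so the limit and the buffer cannot drift apart in a later merge from xpdf. Consider reporting an error for an out-of-range length instead of silently truncating it, since a file that declares a key longer than 16 bytes is malformed.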
---------------------------------------
Date: Wed, 6 Apr 2005 16:32:33 +0200
To: 303288-done@bugs.debian.org
Subject: I missed the missing encryption support
Message-ID: <20050406143233.GA5968@informatik.uni-bremen.de>
User-Agent: Mutt/1.5.8i
From: Moritz Muehlenhoff <jmm@inutil.org>
Hi,
I missed that. I'm closing the bug.
Cheers,
Moritz